Mageia forum

[rychok]

I have now three computers running Mageia4 one was installed as RC and updated to 4, the other two were updated from Mageia3.
All of them have same behavior as far as authentication for some tasks usually required root password to start.
AFAIK wheel group users had some extra convenience and the root password was active for them for some time. Now if I become wheel group member I'm asked for my user password instead of root password, so one level of security is missing, only one password is required to do administrative tasks. And even if I ask in MCC for "Administrator" password ( are we having more peoples from Microsoft? In UNIX/Linux it used to be "root") for software management, and other MCC tasks I'm always asked for my user password. At this point I just removed myself from wheel group.

I do not know if this is a bug, or some miss-configuration that happened during upgrade, or - I can't thing of the reason why it might be - it was changed deliberately and it is now default behavior?

[doktor5000]

At first, there was a major change for authentication, at least for the Mageia tools: https://wiki.mageia.org/en/Mageia_4_Rel ... entication
And a quick grep shows that by default members of the wheel group get additional priviledges, see /etc/polkit-1/rules.d/50-default.rules

So I'd say at least that far it works as designed so far, as no user is in wheel group by default. By default Mageia tools require root
password for almost all of them and you can change the required authentication via draksec as mentioned in the Release Notes.

For polkit configuration also see https://wiki.archlinux.org/index.php/Po ... identities or maybe http://askubuntu.com/questions/184085/p ... roup-wheel

[colin]

This "users in wheel group are considered as administrators" is an upstream polkit default.

The rule is defined here: /etc/polkit-1/rules.d/50-default.rules

Since our tools have migrated to polkit (as opposed to usermode consolehelper) this rule now kicks in (the same behaviour for polkit has been present since MGA2 IIRC, so it's only exposed here rather than a "change" in polkit behaviour)

Other tasks that required polkit auth (e.g. changing date and time, adding users etc in GNOME) would have followed this rule for a while, so we're standardising now.

Hope this helps!

Col

[doktor5000]

This "users in wheel group are considered as administrators" is an upstream polkit default.

The rule is defined here: /etc/polkit-1/rules.d/50-default.rules

That's what the arch wiki says too - but thanks for commenting

[rychok]

Thank you for your replies.
I took a quick look into polkit man page, from what I have seen there is an additional package with desktop rules that was not installed during update. This package changed a little behavior for password requirements. After installing it I was able to access MCC without entering my password for some time, but without icon in systray with option to stop it (what was nice to have), but even all the rules in polkit configuration for draktoos have "KEEP" in the values, when I was accessing drakrpm from menu, I was asked for password every time. My assumption was that in this case it should gave me some time for lunching drakrpm without asking for password again. Forcing of retyping user password in my opinion is lowering security (all my computers are home computers, and no one is going to try get my password by watching what I am typing), and is a little step back in convenience. I also think the two step authentication (user and root passwords) for administration was more secure, but for personal desktop may not be required.

[doktor5000]

Well, I don't quite get your point.
You can configure all draktool to either require user or root or no password via draksec:
https://doc.mageia.org/mcc/4/en/content/draksec.html (looks a bit different actually in Mageia 4)

Don't quite understand what your requirements are or the use case.
(Usually for my own box I configure sudo for passwordless stuff and switch e.g. update applet to require no password for convenience)

[rychok]

Mostly I was just trying to find out if this is a new way of handling this, or my update did not go correctly at some point.
So I do see now why there is a change in MCC and for Mageia tools there is no more option for root password, instead we have administrator (any wheel group member) password.
I did not have polkit desktop policy package installed so I was asked for password every time I was opening MCC (even few seconds apart- I was doing this just for checking), with this package there is a grace period for lunching MCC.
But I thing there is some inconsistency because this ruled do not apply for opening software management invoked from menu. This one is asking for password every time. Again I do not see this as any issue, in my case I will just remove myself from wheel group, that will practically bring the previous behavior for single user system.

[doktor5000]

So I do see now why there is a change in MCC and for Mageia tools there is no more option for root password, instead we have administrator (any wheel group member) password.

Sorry, you got that wrong. root password is administrator password, that's just the wording in polkit dialog and comes from upstream, not from Mageia.
By adding users to wheel group, you grant them special administrative permissions.

Please mark the thread accordingly by editing the topic of the first post and prefix it by [DONE], thanks